Security issues with Flash applications (SWF)
Recently I faced a problem: an SWF application didn’t work properly. I did some troubleshooting and found out that there are some security specifics in Flash that block cross-site scripting. A cool feature when you know about it, and simply annoying when you don’t know anything about it.
So here are some tips that might help others avoid getting stuck with the same problem.
1. If your SWF file loads some files from another domain, you should add a special XML file to your domain root:
crossdomain.xml
It should contain code similar to:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="domain1.com" />
  <allow-access-from domain="domain2.com" />
</cross-domain-policy>
As you might have guessed, it should list the domains whose files your ActionScript should have access to.
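2. If your SWF file links to external websites, you may face a problem where your Flash buttons don’t work. You should use a special Flash parameter to resolve the issue:
allowscriptaccess
Set it to “always”. This value lets the SWF call scripts in the embedding page even when the SWF comes from a different domain; the default, “sameDomain”, permits this only when both come from the same domain.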
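For tip 1, an added example (not part of the original post) that audits a crossdomain.xml and flags entries broader than a single named domain. The sample policy extends the one above with two constructed entries, `*.domain3.com` and `*`; the function names and severity labels are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the policy from tip 1 plus two risky entries added for the demo.
SAMPLE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="domain1.com" />
  <allow-access-from domain="domain2.com" />
  <allow-access-from domain="*.domain3.com" secure="false" />
  <allow-access-from domain="*" />
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return (domain, severity, reason) tuples for each allow-access-from entry."""
    # A policy file needs no entity declarations; refusing them avoids
    # entity-expansion problems when auditing files fetched from other hosts.
    if "<!ENTITY" in xml_text:
        raise ValueError("entity declarations are not expected in a policy file")
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("root element is not <cross-domain-policy>")

    findings = []
    for entry in root.iter("allow-access-from"):
        domain = entry.get("domain", "").strip()
        if domain == "*":
            findings.append((domain, "high", "any domain may read responses from this host"))
        elif domain.startswith("*."):
            findings.append((domain, "medium", "every subdomain is trusted"))
        elif not domain:
            findings.append((domain, "info", "entry has no domain attribute"))
        else:
            findings.append((domain, "ok", "single named domain"))
        # secure="false" lets content loaded over HTTP read data served over HTTPS.
        if entry.get("secure", "true").lower() == "false":
            findings.append((domain, "medium", 'secure="false" lets HTTP content read HTTPS data'))
    return findings


def risky_entries(xml_text):
    """Only the findings a reviewer needs to act on."""
    return [f for f in audit_policy(xml_text) if f[1] in ("high", "medium")]


if __name__ == "__main__":
    for domain, severity, reason in audit_policy(SAMPLE_POLICY):
        print(f"{severity:6} {domain or '(missing)':16} {reason}")
```

Run against the unmodified policy from tip 1, `risky_entries` returns an empty list, since both entries name a single domain.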